Bug 146890 - SELinux policy prevent new list creation from web interface
Summary: SELinux policy prevent new list creation from web interface
Alias: None
Product: Fedora
Classification: Fedora
Component: mailman (Show other bugs)
(Show other bugs)
Version: 3
Hardware: All Linux
Target Milestone: ---
Assignee: John Dennis
QA Contact:
: 151550 (view as bug list)
Depends On:
TreeView+ depends on / blocked
Reported: 2005-02-02 15:55 UTC by John Dennis
Modified: 2007-11-30 22:10 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2005-02-14 21:45:24 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
python stack trace (4.14 KB, text/html)
2005-02-02 16:01 UTC, John Dennis
no flags Details
avc error message in /var/log/messages (451 bytes, text/plain)
2005-02-02 16:01 UTC, John Dennis
no flags Details

Description John Dennis 2005-02-02 15:55:06 UTC
The SELinux security policy prevents a new list from being created
using the web interface (note: bin/newlist works). Attached are the
mailman stack trace and the avc error message in /var/log/messages.

Note: this was originally reported by Markus Darges
<darges@hrz.uni-siegen.de> on the mm-users mailing list.

Comment 1 John Dennis 2005-02-02 16:01:19 UTC
Created attachment 110549 [details]
python stack trace

Comment 2 John Dennis 2005-02-02 16:01:56 UTC
Created attachment 110550 [details]
avc error message in /var/log/messages

Comment 3 John Dennis 2005-02-02 16:04:50 UTC
Note: short term work arounds include:

1) Disable SELinux

2) use command line interface to create lists (e.g. bin/newlist)

Comment 4 John Dennis 2005-02-03 14:33:17 UTC
[From Markus in a private email]

But that was not the only problem between SELinux and mailman. With 
SELinux turned on I couldn't import a list of new members. I got the 
error that no usable temporary file could be found.
And I wasn't able to change the html sites:

Traceback (most recent call last):
  File "/usr/lib/mailman/scripts/driver", line 87, in run_main
  File "/usr/lib/mailman/Mailman/Cgi/edithtml.py", line 123, in main
    ChangeHTML(mlist, cgidata, template_name, doc)
  File "/usr/lib/mailman/Mailman/Cgi/edithtml.py", line 161, in ChangeHTML
    os.mkdir(langdir, 02775)
OSError: [Errno 13] Permission denied: '/var/lib/mailman/lists/ma1/de'

Comment 5 Alberto Barbati 2005-02-08 10:56:08 UTC
About the problem with importing new members ("no usable temporary
directory"), I just filed bug #147466 with a workaround that does not
require SELinux to be disabled.

About this bug, the file policy.conf contains the following policy:

allow mailman_cgi_t mailman_archive_t:dir { read getattr lock search
ioctl add_name remove_name write };

in order to create a list the "create" permission is also necessary
and should be added. However, this does not seem to be enough, as
there is still a problem when Mailman tries to invoke /usr/sbin/postalias:

RuntimeError: command failed: /usr/sbin/postalias /etc/mailman/aliases
(status: 1, Operation not permitted)

audit2allow says that the problem might be fixed by adding the policy:

allow mailman_cgi_t self:unix_dgram_socket create;

however I didn't feel confident to add that, because of my ignorance
about possible repercussions.

Comment 6 John Dennis 2005-02-14 21:45:24 UTC
fixed in latest security policy

Comment 7 Ben Levenson 2005-03-19 17:11:38 UTC
*** Bug 151550 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.